U.S. Department of Agriculture
Office of Inspector General
Northeast Region
Audit Report

FOOD AND NUTRITION SERVICE
SECURITY OVER INFORMATION TECHNOLOGY RESOURCES

Report No. 27099-18-Hy
September 2001

UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

DATE: September 5, 2001

REPLY TO ATTN OF: 27099-18-Hy

SUBJECT: Food and Nutrition Service
Security Over Information Technology Resources

TO: George A. Braley
Acting Administrator
Food and Nutrition Service

ATTN: Sharon Eldred
Acting Director
Grants Management Division

This report presents the results of the subject audit. Your response to the official draft, dated July 24, 2001, is included as exhibit A with excerpts and the Office of Inspector General’s position incorporated into the Findings and Recommendations Section of the report.

Based on information provided, we have reached management decision for all recommendations (Nos. 1 through 26) included in the report. Please follow your internal procedures in forwarding final action correspondence to the Office of the Chief Financial Officer.

We appreciate the cooperation and assistance extended to us during this audit.

/s/
RICHARD D. LONG
Assistant Inspector General
for Audit

EXECUTIVE SUMMARY

FOOD AND NUTRITION SERVICE
SECURITY OF INFORMATION TECHNOLOGY RESOURCES
AUDIT REPORT NO. 27099-18-HY

RESULTS IN BRIEF

The overall objective of this audit was to assess the threat of penetration of Food and Nutrition Service (FNS) mission critical systems and determine the adequacy of the security over the local and wide area networks. FNS utilizes its computer systems to process, analyze, and support more than $32 billion in financial and program data on an annual basis.

Our audit of FNS’ security over information technology (IT) resources has disclosed serious security vulnerabilities and inadequate controls over access to FNS’ computer network and systems. These weaknesses occurred because adequate controls have not always been established and/or implemented and agency management has not placed a priority on or budgeted funds to address Office of Management and Budget (OMB) requirements. These weaknesses indicate a need for a stronger IT security program. As technology has enhanced the ability to share information, it has also made that information more vulnerable to unlawful and destructive penetration and disruptions. We believe that unless corrective actions are implemented in a timely manner, FNS is at risk that financial and program data may be compromised.

We identified the following material weaknesses during our audit.

• FNS has systems on its network that have potentially serious security vulnerabilities. Agency officials have not effectively ensured that FNS’ operating systems are free from known security vulnerabilities. These vulnerabilities, if left uncorrected, could jeopardize the security of FNS’ network and its critical and sensitive financial and program data.

• Adequate physical controls have not been implemented at the facilities reviewed. Door lock controls were not always utilized. As a result, computer resources are vulnerable to unauthorized access.

USDA/OIG-A/27099-18-Hy    Page i

• User ID and password security, as well as FNS’ process for reviewing continuing system access to financial and payment systems, are not always effectively managed to ensure individual accountability. Although our audits have not detected unauthorized access, FNS’ security processes and controls may not prevent or detect unauthorized individuals from accessing, modifying, or destroying sensitive financial and program information.

• Weaknesses in logical controls[1] exist in two of FNS’ systems. Password features have not always been implemented, and the user ID password file for one system was not encrypted. FNS officials stated they did not activate these features because of compensating controls (for example, only the system administrator had access to the unencrypted file) and cost considerations. However, these compensating controls do not adequately protect passwords from unauthorized users. Additionally, we observed one individual’s log-on ID and user password posted within their workstation. As a result, there is a risk that unauthorized individuals could access these systems, alter data, and not be detected.

• FNS’ planning for contingencies needs improvement. FNS has not always updated or tested its contingency plans in a timely manner, nor did it always correct deficiencies identified in its vulnerability assessments. Agency officials advised this occurred because ITD has not placed a priority on or budgeted funds for contingency planning or established a schedule for updating and testing its contingency plans. As a result, FNS’ computer facilities are susceptible to damage or unplanned down time in the event of a disaster or unexpected events.

• FNS has not always adhered to OMB requirements that risk assessments and system certifications[2] be completed at least every 3 years. Five of nine mission critical systems, which contain critical and sensitive information, have not been assessed within the past 3 years. Additionally, certifications have never been obtained for three systems, and re-certification for three other systems is past due. As a result, the vulnerability to threats against the confidentiality and integrity of information, the availability of its systems, and the protection of information resources is substantially increased.

• FNS has not validated that all data for one system are encrypted before transmission to the National Information Technology Center (NITC). This occurred because FNS has not conducted reviews to determine whether all States have implemented the encryption software provided to them. As a result, sensitive Privacy Act data may be at risk when sent from States because it may not be encrypted.

• Incompatible duties exist within the ITD. The network LAN administrator, who is a super user[3] of the LAN, is also the deputy security officer responsible for maintaining the security over the LAN. As a result, there is increased risk that data could be altered and not be detected.

[1] Logical controls involve the use of computer hardware and software to prevent or detect unauthorized access by requiring users to input IDs, passwords, or other identifiers that are linked to predetermined access privileges.
[2] System certification is the method FNS management uses to provide written agency management authorization that major systems are ready for use. These certifications assure management that operational, personnel, and technical controls are functioning effectively.
[3] Super users have access to all data and programs on the LAN.

KEY RECOMMENDATIONS

We recommend that FNS take immediate action to eliminate the high and medium risk vulnerabilities found on its systems and implement the following procedures to address its security vulnerabilities and inadequate controls.

• Establish procedures for conducting periodic scans at FNS National, regional, and field offices where servers are maintained.

• Establish controls that ensure computer rooms are locked at all times and combinations to locks are changed periodically and after all personnel changes.

• Implement controls to remove log-on IDs and passwords from all FNS systems upon an individual’s separation from employment, identify and remove inactive system users from authorization lists, and require supervisory approval for all FNS users of Treasury systems.

• Establish controls to ensure that passwords have a maximum life of 90 days, a minimum length of 6 to 8 characters, and are periodically changed; and require that password files be encrypted and that personnel protect passwords from disclosure.

• Establish controls to ensure all contingency plans are updated at least annually, to include all operating environment changes and system improvements, and establish a schedule for testing all contingency plans.

• Establish procedures to ensure that risk assessments of all computer systems are conducted every 3 years or whenever a significant modification is made, establish controls for ensuring that system certifications and re-certifications are completed in a timely manner, and establish a schedule and expedite the completion of all system certifications and re-certifications.

• Perform reviews of all States to ensure encryption software has been implemented and is being utilized for the transmission of Privacy Act data.

• Delegate the responsibility for data security over the LAN to either the information systems security officer or the deputy information systems security officer.

AGENCY RESPONSE

FNS agreed with the audit recommendations and will implement applicable procedures and controls to improve security over information technology resources.

OIG POSITION

We concur with the proposed management decisions.

TABLE OF CONTENTS

EXECUTIVE SUMMARY
  RESULTS IN BRIEF
  KEY RECOMMENDATIONS
  AGENCY RESPONSE
  OIG POSITION
INTRODUCTION
  BACKGROUND
  OBJECTIVES
  SCOPE
  METHODOLOGY
FINDINGS AND RECOMMENDATIONS
CHAPTER 1 – VULNERABILITY TESTS DISCLOSED NUMEROUS SECURITY WEAKNESSES ON SYSTEMS IN FNS’ NETWORK
  FINDING NO. 1
  RECOMMENDATION NO. 1
  RECOMMENDATION NO. 2
  RECOMMENDATION NO. 3
CHAPTER 2 – PHYSICAL SECURITY OF COMPUTER FACILITIES NEEDS IMPROVEMENT
  FINDING NO. 2
  RECOMMENDATION NO. 4
  RECOMMENDATION NO. 5
CHAPTER 3 – SYSTEM ACCESS CONTROLS NEED STRENGTHENING
  FINDING NO. 3
  RECOMMENDATION NO. 6
  RECOMMENDATION NO. 7
  RECOMMENDATION NO. 8
  FINDING NO. 4
  RECOMMENDATION NO. 9
  RECOMMENDATION NO. 10
  RECOMMENDATION NO. 11
  RECOMMENDATION NO. 12
  RECOMMENDATION NO. 13
  RECOMMENDATION NO. 14
  FINDING NO. 5
  RECOMMENDATION NO. 15
  RECOMMENDATION NO. 16
CHAPTER 4 – CONTINGENCY PLANNING NEEDS IMPROVEMENT
  FINDING NO. 6
  RECOMMENDATION NO. 17
  RECOMMENDATION NO. 18
  RECOMMENDATION NO. 19
  FINDING NO. 7
  FINDING NO. 8
  RECOMMENDATION NO. 20
CHAPTER 5 – OMB CIRCULAR A-130 REQUIREMENTS NOT ALWAYS MET
  FINDING NO. 9
  RECOMMENDATION NO. 21
  RECOMMENDATION NO. 22
  FINDING NO. 10
  RECOMMENDATION NO. 23
  RECOMMENDATION NO. 24
CHAPTER 6 – PRIVACY ACT DATA NEEDS TO BE ENCRYPTED
  FINDING NO. 11
  RECOMMENDATION NO. 25
CHAPTER 7 – INADEQUATE SEPARATION OF DUTIES EXISTS WITHIN ITD
  FINDING NO. 12
  RECOMMENDATION NO. 26
EXHIBIT A – FNS RESPONSE TO DRAFT REPORT
ABBREVIATIONS

INTRODUCTION

BACKGROUND

The mission of FNS is to provide children and needy families access to a more healthful diet through its food assistance programs and comprehensive nutrition education efforts. FNS’ food assistance programs account for almost half of the U.S. Department of Agriculture’s (USDA) budget. Taken together, FNS’ programs provide a nutritional safety net for America’s low-income families.

FNS is responsible for administering 15 domestic food assistance programs. These include the Food Stamp Program (FSP); Special Nutrition Programs, which include the Child Nutrition Programs (CNP) and the Special Supplemental Nutrition Program for Women, Infants, and Children; Food Donations Programs; and Nutrition Assistance for Puerto Rico. FNS expended program funds totaling more than $32 billion in fiscal year (FY) 2000.

FNS programs are administered through its national office and seven regional offices. FNS issues program regulations and provides training and assistance to States. Program benefits are delivered under agreements with State agencies, which determine program eligibility and distribute benefits. FNS pays the benefit costs and part of the State administrative expenses for most of its food assistance programs.

Within FNS, the Information Technology Division (ITD) administers the IT program. The five branches of ITD and their responsibilities follow.

• The Systems Administration Branch is responsible for State systems throughout the system’s life cycle. Additional responsibilities include operation of the (1) Anti-Fraud Locator Using Electronic Benefits Transfer Retailer Transactions (ALERT) system, (2) systems quality assurance and configuration management program, and (3) database administration.

• The Application Support Branch is responsible for FNS’ automated systems and the FNS Internet system.

• The Desktop Services Branch is responsible for FNS infrastructure, which includes computer equipment, telecommunications, networks, etc. In addition, Desktop Services Branch responsibilities include assisting users in developing small desktop systems, operating a user help desk, and providing office automation support.

• The Information Services Branch is responsible for the clearance of all agency records and is the FNS Freedom of Information Act point-of-contact.

• The Benefit Redemption Systems Branch (BRSB) is responsible for supporting the food coupon redemption process of the FSP. This is accomplished through the Store Tracking and Redemption Subsystem (STARS).

FNS has nine information systems that are critical to FNS’ mission.

Food Stamp Program Integrated Information System – is a combination of four mainframe sub-systems used to support the administration and monitoring of the FSP, which handles over $18 billion in appropriated funds on an annual basis. These subsystems are located either at USDA’s National Information Technology Center (NITC) in Kansas City, Missouri, or at FNS’ BRSB in Minneapolis, Minnesota.
• Grantee Reporting Subsystem – uses data gathered through other subsystems to review the performance of each grantee.
• Coupon Requisition and Inventory Management Subsystem – tracks information on the inventory of food coupons and associated accounting activities.
• Disqualified Recipient Subsystem – tracks disqualified food stamp recipients through a nationwide database and conducts computer-matching activities with State agencies.
• STARS – records and monitors FSP food coupon redemption activities, records proven regulatory violations by retailers, and monitors administrative actions associated with enforcement of related penalties.

Special Nutrition Programs Integrated Information System – is a system used to support the administration and monitoring of Special Nutrition Programs’ food and administrative funds, which were almost $13 billion in FY 2000, and to track program participation statistics. This system is located at USDA’s NITC.

Food Stamp Quality Control System – is a system used to store case information about a sample of households that participate in the FSP. This system has two components: the mainframe located at NITC, which is used for processing all data submitted by States, and the PC-based data input/data collection system resident at each State office.

Agency Financial Management System – this system provides accountability for expenditures of Federal funds and administration of program grants, operating expenses, and personnel compensation and benefits for FNS staff. This system is located at USDA’s NITC.

FNS Regional Office Administered Programs (ROAP) – is a modified version of the Florida CNP payment system that is used to interface with other FNS payment and information systems when FNS performs the role of the State agency. FNS directly administers CNPs where State law prohibits a State from administering an FNS program for certain types of sponsors. There are ROAPs for the National School Lunch, Breakfast and Milk Programs in six States; the Summer Food Service Program in three States; and the Child and Adult Care Food Program in one State. ROAP expenditures totaled more than $52 million in FY 2000. This system is located at the FNS Mid-Atlantic Regional Office (MARO) in Robbinsville, New Jersey.

ALERT – is a fraud detection decision support system designed to monitor and track authorized electronic retailer transactions between FSP retailers and recipients. The system facilitates management of the retailer portion of the FSP by providing transaction-level information to Federal personnel charged with the responsibility of FSP retailer management and compliance activities. This system is located at the FNS National Office in Alexandria, Virginia.

These systems and subsystems are considered to contain sensitive data as defined by Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, dated February 1996. There are three factors to be used in considering sensitivity level: integrity, availability, and confidentiality. Integrity is a property of a system that permits effective and reliable development and use. Availability requires that information must be available on a timely basis to meet mission requirements. Confidential information requires protection from unauthorized disclosure.

OMB Circular A-123, Management Accountability and Control, dated June 1995, provides guidance on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls. OMB Circular A-130, Security of Federal Automated Information Resources, Appendix III, dated February 9, 1996, provides government-wide direction on information resources management. The National Institute of Standards and Technology (NIST) manual, dated September 1996, addresses generally accepted principles and practices for securing IT systems. NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, dated December 1998, assists agencies in improving protection of information technology resources. USDA Departmental Manual 3140-1, Automated Data Processing (ADP) Security Policy, dated July 1984, provides standards, guidelines, and procedures for the development and administration of ADP security programs.

FNS has developed two handbooks to assist it in developing an IT security program. FNS Handbook 701, FNS Information Systems Security Policy Handbook, dated October 1996, provides management guidance necessary for maintaining an information systems security program; and FNS Handbook 702, FNS Information Systems Security Standards and Procedures Handbook, dated November 1997, provides step-by-step procedures for implementing an information systems security program.

OBJECTIVES

Our objectives were to: (1) assess the threat of penetration of FNS payment/data systems, and (2) determine the adequacy of security over the local and wide area networks (LAN/WAN).

SCOPE

The audit was conducted in accordance with generally accepted Government auditing standards. Fieldwork was performed at the FNS National Office in Alexandria, Virginia; MARO, in Robbinsville, New Jersey; and BRSB in Minneapolis, Minnesota. FNS’ web servers, in Washington D.C., were evaluated as a part of Office of Inspector General (OIG) audit, Security Over USDA IT Resources Need Improvement, Audit No. 50099-27-FM, dated March 2001. We selected locations to ensure all nine of FNS’ mission critical systems were reviewed.

This audit is part of a department-wide audit of IT security. In addition to selected program agencies within USDA, audit work was also conducted at the National Finance Center, NITC, and the Office of the Chief Information Officer (OCIO). We reviewed controls over FNS systems located at USDA’s NITC as a part of OIG audit, NITC General Controls Review, FY 2000, Audit No. 88099-03-FM.

METHODOLOGY

We conducted our review by gaining an understanding of the computing environment at FNS, assessing agency planning and oversight over Internet/Intranet security, reviewing security over the LANs/WAN, assessing the threat of penetration into FNS sensitive systems and the LANs/WAN, and evaluating Federal information system controls at three computer facilities. We conducted our review through interviews, review of FNS records, and observations. We also applied a software-scanning tool to assess the threat of penetration into FNS’ systems.

FINDINGS AND RECOMMENDATIONS

CHAPTER 1 – VULNERABILITY TESTS DISCLOSED NUMEROUS SECURITY WEAKNESSES ON SYSTEMS IN FNS’ NETWORK

FINDING NO. 1

FNS has systems on its network that have potentially serious security vulnerabilities. Agency officials have not effectively ensured that the FNS operating systems[4] are free from known security vulnerabilities. These vulnerabilities, if left uncorrected, could jeopardize the security of FNS’ network and its critical and sensitive financial and program data. FNS systems process, analyze, and support more than $32 billion in financial and program data on an annual basis.

OMB Circular A-130[5] requires agencies to implement and maintain an automated information security program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications.

To conduct our assessment of FNS’ network and systems at three FNS locations, we used a commercial off-the-shelf software product which is designed to identify vulnerabilities associated with various operating systems. The software is able to perform over 800[6] tests for security vulnerabilities on systems that use Transmission Control Protocol/Internet Protocol (TCP/IP).

We conducted our scans on 2 UNIX systems, 84 Windows NT systems, and 23 routers/switches between June 2000 and January 2001. The assessments, which were conducted from both within the FNS network and from a location outside its network, revealed 982 vulnerabilities[7]: 27 high, 243 medium, and 712 low. This included 15 vulnerabilities, 9 medium and 6 low, that could be exploited from outside the FNS network.

[4] e.g., UNIX and Windows NT.
[5] OMB Circular A-130, Security of Federal Automated Information Resources, Appendix III, dated February 9, 1996.
[6] During our vulnerability scans, we periodically updated our software to include additional discovered vulnerabilities. Not all scans conducted may have checked for the more than 800 vulnerabilities that were known at the time of this audit.
[7] High-risk vulnerabilities are those that provide unauthorized access to the computer and possibly the network of computers. Medium risk vulnerabilities are those that provide access to sensitive network data that may lead to the exploitation of higher risk vulnerabilities. Low risk vulnerabilities are those that provide access to network data that might be sensitive, but is less likely to lead to higher-risk exploitation.

The high and medium risk vulnerabilities, if left uncorrected, could allow unauthorized users access to FNS’ network and possibly FNS’ critical and sensitive data.
The significant number of low vulnerabilities can also be\n           an indicator of poor system administration.\n\n           Detailed below are a few examples of the high-risk vulnerabilities we\n           disclosed during our scans of the various agency systems:\n\n           \xe2\x80\xa2   One system was accessible using the inherently insecure file transfer\n               protocol. On this system, a default account name could be used to\n               gain access to the system using this protocol. An attacker could use\n               this vulnerability to fill up the system\xe2\x80\x99s hard disk, making it unusable by\n               authorized users, or place a virus or other malicious software that\n               could be executed by a more privileged user.\n\n           \xe2\x80\xa2   A user account on one system had no password assigned to it, leaving\n               it accessible by anyone. Depending on the access privileges on this\n               user account, an attacker could use this vulnerability to access this and\n               other computers on the network.\n\n           \xe2\x80\xa2   One server that was found to have website capabilities was found to\n               have one or more potentially vulnerable scripts. These scripts could\n               be exploited to allow an attacker to execute malicious commands on\n               that server.\n\n           During our scan of FNS\xe2\x80\x99 systems in its national office, a component of its\n           firewall was not functioning and was down for three weeks, leaving only\n           router filtering to protect its network. FNS officials took immediate action\n           to correct the firewall problem. FNS has advised us that they are taking\n           aggressive actions to correct the vulnerabilities we identified during our\n           scans. FNS officials also stated new servers were installed as of\n           April 2001. 
FNS recently purchased scanning software and will begin\n           performing periodic scans of its systems and network to determine\n           whether identified vulnerabilities have been corrected and whether any\n           additional vulnerabilities are present.\n\n           Periodically, systems need to be updated to incorporate recently released\n           security patches and other software updates. During our visit to the three\n           FNS locations, we noticed that each office was responsible for\n           implementing security patches and configurations for their servers. Under\n           a corporate approach, all servers in all offices would be updated and\n           configured alike. FNS should implement a corporate approach to system\n           configuration. Similar configurations will reduce the amount of individual\n           attention needed when updates or upgrades are needed. At the exit\n\nUSDA/OIG-A/27099-18-Hy                                                            Page 6\n\x0c           conference on May 30, 2001, FNS agreed to establish appropriate\n           controls for identifying and eliminating vulnerabilities in its network.\n\n                                       Take immediate action to eliminate the high and\n  RECOMMENDATION NO. 1                 medium risk vulnerabilities found on FNS\xe2\x80\x99\n                                       systems.\n\n           Agency Response\n\n           All FNS workstations will be upgraded to Microsoft Workstation 2000\n           Professional by December 31, 2001. This will eliminate the ability of a\n           person without proper credentials from accessing FNS systems. This\n           accounts for the majority of the high and medium risk vulnerabilities\n           discovered.      
Once Internet Security Systems (ISS) penetration and\n           monitoring software is installed, new penetration studies will be run on all\n           servers and workstations, and any deficiencies will be corrected\n           immediately. Scans will be completed by January 15, 2002 and identified\n           deficiencies will be corrected within 30 days thereafter.\n\n           OIG Position\n\n           Upgrading to Windows 2002, which requires a password to log onto the\n           workstation, would not correct the weaknesses identified by OIG scans or\n           prohibit someone from accessing FNS systems. However, we concur with\n           management decision because the high and medium risk vulnerabilities\n           identified during OIG scans relate to servers that FNS subsequently\n           replaced. Additionally, FNS plans to conduct scans on its new servers and\n           correct identified deficiencies on all servers and critical devices by\n           February 15, 2002.\n\n                                       Establish procedures for conducting periodic\n  RECOMMENDATION NO. 2                 scans at all FNS national, regional and field\n                                       offices where servers are maintained.\n\n           Agency Response\n\n           FNS is participating in the Department\xe2\x80\x99s global contract for ISS software. By\n           September 30, 2001, ISS will be installed and penetration studies will be\n           made on all devices that are licensed under FNS. An operational Handbook\n           will be published by September 30, 2001, which will include procedures for\n           conducting scans of all devices on a quarterly basis. Additionally, scans of\n           servers and more critical devices will be conducted on a weekly basis\n           beginning by October 31, 2001. 
Initial scanning will be completed by\n\n\n\nUSDA/OIG-A/27099-18-Hy                                                          Page 7\n\x0c           January 15, 2002 and identified deficiencies will be corrected on all servers\n           and critical devices by February 15, 2002.\n\n           OIG Position\n\n           We concur with FNS\xe2\x80\x99 proposed management decision.\n\n                                       Implement a policy to use a corporate level\n  RECOMMENDATION NO. 3                 approach to configuration management.\n\n\n           Agency Response\n\n           Desktop Services Branch of the Information Technology Division of FNS\n           established a Configuration Management Team on January 1, 2001. The\n           team\xe2\x80\x99s charge is to provide design standards for information technology,\n           such as servers, workstations, software products, and printers. These\n           standards will establish a policy and ensure consistent system configuration\n           agency-wide. All standards are documented in the Desktop Services\n           Branch Handbook. The standards will be completed by October 1, 2001.\n\n           OIG Position\n\n           We concur with FNS\xe2\x80\x99 proposed management decision.\n\n\n\n\nUSDA/OIG-A/27099-18-Hy                                                          Page 8\n\x0c     CHAPTER 2                   PHYSICAL SECURITY OF COMPUTER FACILITIES NEEDS\n                                                 IMPROVEMENT\n\n\n                                                           Adequate physical controls have not been\n                FINDING NO. 2                              implemented at two of the locations reviewed.\n                                                           This occurred because door lock controls were\n                                                           not always utilized. 
As a result, computer\n                                                           Resources are vulnerable to unauthorized\n                                                           access.\n\n                    USDA8 defines computer facilities by type. Type I facilities are major\n                    computer facilities which are operated by non-agency personnel, service\n                    multiple USDA agencies, and have their own specific security policies. The\n                    NITC is considered a Type I facility. Type II computer facilities are agency\n                    specific facilities, including those that have a LAN or other mission critical\n                    system. FNS Handbook 7019 defines the FNS National Office, BRSB, and\n                    its regional offices as Type II facilities. Type III facilities are office spaces\n                    where multifunction workstations and network devices are located.\n\n                    FNS Handbook 70110 requires that access to FNS computer systems and\n                    data be limited to personnel who have clearance. The handbook also\n                    requires that Type II computer facilities be controlled spaces. Only\n                    authorized personnel should enter the computer room unescorted and doors\n                    should be locked to control access. OMB Circular A-12311 requires that\n                    access to resources and records be limited to authorized individuals.\n\n                    Physical security is a vital part of an information systems security program.\n                    Physical security protects computer resources from unauthorized use,\n                    damage, theft, or unauthorized access to computer systems. 
To ensure that\n                    controls are in place, we interviewed FNS security and computer room\n                    personnel, and observed physical controls to prevent unauthorized access\n                    at three locations: FNS National Office, MARO, and BRSB. The computer\n                    room at FNS National Office contains the ALERT server, LAN server, and\n                    associated hardware and software. The computer room at MARO contains\n                    the ROAP server, LAN server, and associated hardware and software. The\n                    computer room at BRSB contains the mainframe subsystem STARS, LAN\n                    server, and associated hardware and software.\n\n\n\n8\n     USDA Departmental Manual 3140-1, ADP Security Policy, dated July 1984.\n9\n     FNS Handbook 701, FNS Information Systems Security Policy Handbook, Section 310, dated October 1996.\n10\n     FNS Handbook 701, FNS Information Systems Security Policy Handbook, Section 300 and Section 312, dated October 1996.\n11\n     OMB Circular A-123, Management Accountability and Control, revised June 21, 1995.\n\nUSDA/OIG-A/27099-18-Hy                                                                                            Page 9\n\x0c           Two of the computer rooms were vulnerable to unauthorized access during\n           the audit. At one location, a door to the computer room was left unlocked, at\n           least once, during our audit. During the initial weeks of our audit we\n           attempted to enter FNS\xe2\x80\x99 computer rooms. At one location, no one\n           questioned our presence in the computer room for more than five minutes.\n           We were also able to access, within the office suite, a computer and\n           examine files located on the hard drive without a user ID or password. 
At\n           another location, the combination to the cipher lock for the computer room\xe2\x80\x99s\n           rear entrance was not changed after a contract employee separated from\n           employment in June 2000. FNS does not have procedures for periodically\n           changing the combination of the computer room door lock. After we\n           discussed this issue with FNS personnel in October 2000, the combination\n           was changed. These conditions provide an opportunity for unauthorized\n           personnel to gain access to FNS\xe2\x80\x99 computer facilities.\n\n           An independent contractor conducted a security review of one of FNS\xe2\x80\x99\n           facilities in April 2000. The independent contractor also reported a lack of\n           security to the office suite. FNS responded that a key card system was\n           being implemented. In May 2001 the building key card system was installed\n           and activated.\n\n           FNS needs to establish adequate physical controls to ensure that computer\n           rooms are secured at all times and combination locks are periodically\n           changed. At the exit conference on May 30, 2001, FNS officials stated that\n           they had sent a notice to all employees to keep doors locked in the\n           computer room and agreed to implement other necessary procedures to\n           ensure that adequate physical security controls are implemented, including\n           changing combinations to locks at least quarterly and after an employee\n           leaves the agency.\n\n                                       Establish controls that ensure security officers\n  RECOMMENDATION NO. 
4                 and computer room personnel keep computer\n                                       rooms locked at all times.\n\n           Agency Response\n\n           Established policy already covers this area (See FNS Information Systems\n           Security Policy Handbook 701, section 310 and 312) and in the revised FNS\n           Information Systems Security Policy Handbook 701 (see section 110 Policy).\n           Computer room personnel have been briefed to challenge unescorted\n           visitors to FNS controlled office space. In addition, computer security\n           reminders will be issued at least quarterly, beginning in August 2001,\n           regarding keeping computer rooms doors locked.\n\n\n\nUSDA/OIG-A/27099-18-Hy                                                         Page 10\n\x0c           OIG Position\n\n           We concur with FNS\xe2\x80\x99 proposed management decision.\n\n                                       Establish procedures to ensure that security\n  RECOMMENDATION NO. 5                 officers periodically change combinations to\n                                       locks and after personnel are separated from\n                                       employment.\n           Agency Response\n\n           FNS Headquarters and regional facilities are required by FNS\n           Handbook 702 (see section 621) to establish their own procedures regarding\n           physical access.       For instance, FNS Headquarters does not utilize\n           combination door locks to secure its computer room. 
To ensure regional\n           facilities have such procedures, annual facility plans will be reviewed by\n           August 6, 2001, and any shortcomings will be followed up within 60 days.\n           Additionally, site reviews are performed by FNS security staff on a periodic\n           basis to ensure compliance with the annual facility plan.\n\n           OIG Position\n\n           We concur with FNS\xe2\x80\x99 proposed management decision.\n\n\n\n\nUSDA/OIG-A/27099-18-Hy                                                        Page 11\n\x0c      CHAPTER 3                    SYSTEM ACCESS CONTROLS NEED STRENGTHENING\n\n\n                     FNS has not established adequate controls over access to FNS\xe2\x80\x99 computer\n                     network and systems or the U.S. Department of the Treasury (Treasury)\n                     systems. Active management of system access is critical to ensure that\n                     access is limited to authorized users. FNS did not (1) timely remove user\n                     access for separated employees, (2) adequately evaluate users to\n                     determine continuing need for system access, (3) maintain an updated list of\n                     all users by system, (4) implement adequate logical controls to restrict\n                     access to data and files, or (5) implement adequate compensating controls\n                     for accessing Treasury systems.\n\n                     We reviewed the management of user access and software parameters for\n                     four mission critical systems. We also reviewed the access controls over\n                     Treasury systems used by FNS. Our audit did not detect any unauthorized\n                     access.\n\n                                             FNS has not implemented adequate user\n           FINDING NO. 3                     access controls. 
FNS did not timely remove\n                                             mainframe access for separated employees,\n     USER ACCESS CONTROLS WERE               maintain a list of systems each individual is\n            NOT ADEQUATE                     authorized to access, or adequately review\n                                             users for continued system access. Agency\n                                             officials advised this occurred because: (1) ITD\n              was not always promptly notified when an employee with mainframe access\n              separated from the agency; (2) FNS\xe2\x80\x99 databases of LAN and mainframe\n              users were not linked increasing the risk that when LAN access was deleted\n              mainframe access may not be removed; and (3) managers were not always\n              identifying all users with a continued need for access in their annual review.\n              As a result, computer resources are vulnerable to unauthorized access.\n\n                     OMB Circular A-12312 requires that policies and procedures used by\n                     agencies reasonably ensure reliable and timely information is obtained,\n                     maintained, reported and used for decision making. Active management\n                     control of log-on IDs is critical to ensure that inactive and unauthorized users\n                     are removed. 
Management controls should provide reasonable assurance\n                     that assets are safeguarded against unauthorized use.\n\n                     FNS Handbook 70113 requires the information systems security officer to\n                     maintain a master list of all log-on IDs and what systems each individual\n\n12\n     OMB Circular A-123, Management Accountability and Control, revised June 21, 1995.\n13\n     FNS Handbook 701, FNS Information Systems Security Policy Handbook, Section 302, dated October 1996.\n\nUSDA/OIG-A/27099-18-Hy                                                                                      Page 12\n\x0c                    log-on ID is authorized to access. In addition, individual log-on IDs and\n                    passwords are to be deleted from all FNS systems when individual users\n                    depart FNS.\n\n                    NIST principles and practices14 provide a baseline that organizations can\n                    use to establish and review their information technology programs.\n                    Specifically that user IDs that are inactive on the system for a period of\n                    3 months or another specified period of time should be disabled.\n\n                    Mainframe Access\n\n                    We identified five instances where user access was not timely removed from\n                    an FNS system after an employee separated from the agency. Although\n                    ITD removes LAN access at separation, ITD does not always delete the\n                    employee\xe2\x80\x99s mainframe access. This occurs because ITD is not always\n                    notified of this access and they do not maintain a current listing of users, by\n                    system, with mainframe access. 
In addition, FNS systems are not linked to\n                    allow one deletion for all systems, LAN and any mainframe system.\n                    Therefore, the user\xe2\x80\x99s specific system access would still be accessible by\n                    someone using the separated employee\xe2\x80\x99s log-on ID and password. Also,\n                    there is a risk that the separated employee could log onto a current\n                    employee\xe2\x80\x99s unattended workstation.\n\n                    When an employee/contractor separates from FNS the individual\xe2\x80\x99s\n                    supervisor completes a computer system access document requesting\n                    deletion of the individual\xe2\x80\x99s access, a final salary report, or an exit interview\n                    form. The employee/contractor is debriefed, and the form(s) is provided to\n                    the FNS security officer who then suspends the individual\xe2\x80\x99s LAN access on\n                    the day of separation and deletes the LAN access the next business day.\n                    However, if ITD is not notified that the employee has mainframe access to\n                    several systems, this access may not be deleted.\n\n                    Program managers use a system-generated report (e.g. Security2 report) of\n                    all users and their functional access to review current system access. We\n                    reviewed this report, for one system, as of September 26, 2000, and\n                    identified 98 users, including employees and contractors. We compared the\n                    report to the available personnel rosters and reports of separation from the\n                    agency. 
We compared the report to the security officer\xe2\x80\x99s list of mainframe\n                    log-on IDs and a NITC list of inactive mainframe users as of July 10, 2000.\n                    We identified one employee who had separated from FNS in May 1998 and\n                    four other employees who separated from FNS prior to January 2000,\n                    whose mainframe log-on IDs were not deleted until July 2000.\n\n14\n     NIST Generally Accepted Principles and Practices for Securing Information Technology Systems manual, Common Security\n     Practice, 3.11, Identification and Authentication, dated September 1996.\n\nUSDA/OIG-A/27099-18-Hy                                                                                       Page 13\n\x0c                    Review of Authorized Users\n\n                    In the analysis of one system\xe2\x80\x99s authorized users (98) we identified that\n                    managers were not adequately reviewing the list of users for continuing\n                    system need. We identified the following:\n\n                    \xe2\x80\xa2   51 users (52 percent) did not have a current mainframe log-on ID, of\n                        which 34 were removed by NITC for inactivity;\n                    \xe2\x80\xa2   15 users were granted access to this system during the period\n                        August 1996 through September 1999 but never accessed the system;\n                        and\n                    \xe2\x80\xa2   12 users were no longer FNS employees.\n\n                    As a result of a recent report, OIG Audit No. 88099-01-FM, NITC General\n                    Controls Review, FY 1998, dated December 1999, NITC implemented a\n                    control to identify and remove mainframe users at NITC who have been\n                    inactive after 180 days. 
FNS is notified of NITC\xe2\x80\x99s actions to remove\n                    mainframe access, however, FNS has not taken actions to remove inactive\n                    users from its systems.\n\n                    Program managers identify system users and their security levels through a\n                    review of the Security2 report or similar report. FNS officials stated that they\n                    use this list at least once a year to evaluate the appropriateness of user\n                    access. FNS Handbook 70115 states that managers and supervisors are\n                    responsible for determining the need for employees to access a system, but\n                    it does not require a periodic review of authorized users. Our analysis\n                    shows that the Security2 report is not effectively screened for separated\n                    employees or users who no longer have a need for system access, including\n                    inactive users.\n\n                    Recognizing the need to improve system access controls, FNS is interested\n                    in developing a centralized database that maintains and utilizes a master list\n                    of all current users by system. This system will need to work on both\n                    mainframe and client server applications.        FNS is evaluating either\n                    purchasing a commercial off-the-shelf product or developing a prototype to\n                    accomplish this task.\n\n                    FNS needs to strengthen system access controls by requiring that log-on\n                    IDs and passwords be removed for terminated employees and inactive\n                    users, and ensure the security officer maintains a master list of all current\n                    mainframe users by system. 
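The reconciliation the auditors describe above (a system-generated user report checked against HR separation data, a never-accessed test, and the 180-day inactivity threshold NITC applies), as an added Python example that is not part of this report or of any FNS system; the Security2-style records, log-on IDs, names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_DAYS = 180  # the NITC inactivity threshold cited in the report


@dataclass(frozen=True)
class UserRecord:
    logon_id: str
    name: str
    granted: date                 # date access to the system was granted
    last_access: Optional[date]   # None means the ID has never logged on


# Constructed sample data standing in for a Security2-style report of one
# system as of 26 September 2000. IDs, names and dates are invented.
AS_OF = date(2000, 9, 26)
SECURITY2_REPORT = [
    UserRecord("FNSA01", "Active Analyst", date(1996, 8, 1), date(2000, 9, 20)),
    UserRecord("FNSA02", "Left May 1998", date(1996, 8, 1), date(1998, 5, 10)),
    UserRecord("FNSA03", "Never Logged On", date(1997, 3, 1), None),
    UserRecord("FNSA04", "Dormant Since Jan", date(1998, 1, 15), date(2000, 1, 5)),
    UserRecord("FNSA05", "Recent Contractor", date(2000, 2, 1), date(2000, 4, 30)),
    UserRecord("FNSA06", "Left Dec 1999", date(1996, 8, 1), date(1999, 12, 1)),
    UserRecord("FNSA07", "New Hire", date(2000, 9, 1), None),
]
# Constructed HR "losses" report: log-on ID -> separation date.
SEPARATED = {"FNSA02": date(1998, 5, 15), "FNSA06": date(1999, 12, 10)}
# Constructed NITC list of mainframe IDs NITC has already removed for inactivity.
NITC_INACTIVE = {"FNSA04"}


def inactivity_cutoff(as_of: date, inactivity_days: int = INACTIVITY_DAYS) -> date:
    """Last-access dates earlier than this are 'inactive' on the as_of date."""
    return as_of - timedelta(days=inactivity_days)


def review_users(report, separated, nitc_inactive, as_of,
                 inactivity_days: int = INACTIVITY_DAYS):
    """Return {logon_id: [reasons]} for every ID whose access should be removed.

    Reasons, in the order they are checked:
      separated       - HR reports the person left on or before as_of
      never_accessed  - granted before the cutoff but never logged on
      inactive        - last logon earlier than the cutoff
      removed_by_nitc - NITC already dropped the mainframe ID, but the
                        system's own user list still carries it
    A recently granted ID that has not logged on yet is deliberately not
    flagged, so new hires do not show up as never_accessed.
    """
    cutoff = inactivity_cutoff(as_of, inactivity_days)
    findings = {}
    for u in report:
        reasons = []
        sep_date = separated.get(u.logon_id)
        if sep_date is not None and sep_date <= as_of:
            reasons.append("separated")
        if u.last_access is None:
            if u.granted < cutoff:
                reasons.append("never_accessed")
        elif u.last_access < cutoff:
            reasons.append("inactive")
        if u.logon_id in nitc_inactive:
            reasons.append("removed_by_nitc")
        if reasons:
            findings[u.logon_id] = reasons
    return findings


def summarize(findings):
    """Count how many flagged IDs carry each reason (an ID may carry several)."""
    counts = {}
    for reasons in findings.values():
        for r in reasons:
            counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    result = review_users(SECURITY2_REPORT, SEPARATED, NITC_INACTIVE, AS_OF)
    print(f"Cutoff for inactivity: {inactivity_cutoff(AS_OF)}")
    for logon_id in sorted(result):
        print(f"{logon_id}: remove ({', '.join(result[logon_id])})")
    print("Summary:", summarize(result))
```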
At the exit conference on May 30, 2001, FNS officials agreed to implement necessary procedures to ensure that adequate access controls are implemented.

[15] FNS Handbook 701, FNS Information Systems Security Policy Handbook, Section 270, Non-Information Systems Security Personnel Responsibilities, and Section 309, System Access Security Responsibilities, dated October 1996.

RECOMMENDATION NO. 6

Implement controls to remove log-on IDs and passwords from all FNS systems when employment terminates.

Agency Response

Human Resources has agreed to issue monthly gains and losses reports to the Security Office beginning in August 2001. The Security Office will use this information to remove log-on IDs and passwords from all FNS systems when employment terminates. The Security Office will send out lists of contractor employees to the Contracting Officer's Representative (COR) in the Agency on a quarterly schedule beginning in September 2001 to verify a current list of contractors.

OIG Position

We concur with FNS' proposed management decision.

RECOMMENDATION NO. 7

Establish controls to ensure the security officer maintains and utilizes a master list of current users by system.

Agency Response

FNS will approach this recommendation in two steps. Initially, we are developing a system to capture FNS-674 information in a database. This will provide the capability to track who has access to specific systems. Reports will be available by system and by individual. The information will be updated and maintained by using the monthly gains and losses list from Human Resources and the quarterly list of active contractors from the CORs. The users will be able to complete an FNS-674 on-line and the data will be captured into the database. We are currently testing the system. We anticipate implementation by December 31, 2001.

OIG Position

We concur with FNS' proposed management decision.

RECOMMENDATION NO. 8

Implement procedures that require managers to perform a critical review of system-generated reports of all users and identify and remove log-on IDs and passwords for all users who no longer have a need for access or who have been identified as inactive.

Agency Response

FNS will develop and implement a system to ensure that each System Manager reviews the list of approved users of their system. Log-on IDs and passwords for all users who no longer have a need for access or who have been identified as inactive will then be removed. The lists will be provided to each System Manager semi-annually. We will begin the cycle by October 31, 2001.

OIG Position

We concur with FNS' proposed management decision.

FINDING NO. 4   WEAKNESSES EXIST IN LOGICAL CONTROLS

Weaknesses exist in the logical controls of FNS systems. This occurred because adequate security password features have not been implemented in two systems and the user ID password file for one system was not encrypted. FNS officials stated they did not activate these features because of compensating controls (for example, only the system administrator had access to the unencrypted file) and cost considerations. However, these compensating controls do not adequately protect passwords from unauthorized users. As a result, there is a risk that unauthorized individuals could access these systems, alter data, and not be detected.

Logical controls involve the use of computer hardware and software to prevent or detect unauthorized access by requiring users to input user IDs, passwords, or other identifiers that are linked to predetermined access privileges. Logical controls should be designed to restrict legitimate users to the specific systems, programs, and files that they need and prevent others, such as hackers, from entering the system at all. [16]

[16] U.S. General Accounting Office, Federal Information System Controls Audit Manual, dated December 1996.

FNS Handbook 701 [17] requires users to change passwords at periodic intervals. For Type II facilities, passwords should be changed every 90 days. Paragraph B requires that when passwords are issued, the user should immediately change the password to one known only to the user. FNS Handbook 702 [18] requires that passwords be 6 to 8 characters in length and be changed by the user at least every 90 days, except when following requirements of other agency computer centers, such as NITC. FNS Handbook 702 also requires all personnel using FNS information systems to use a password that is known only to them and not to divulge or share their password with anyone. NIST principles and practices [19] provide a baseline that organizations can use to establish and review their information technology programs. Specifically, organizations should limit the number of log-on attempts and configure operating systems to lock out a user ID after a set number of failed log-on attempts. NIST principles and practices also state that authentication data (e.g. passwords) should be protected with access controls and one-way encryption to prevent unauthorized individuals, including system administrators or hackers, from obtaining the data. Current FNS handbooks do not address encryption.
However, FNS is the process of\n                     revising FNS Handbook 701, to incorporate encryption requirements that are\n                     in accordance with NIST standards.\n\n                     The most commonly used means of restricting access to data files and\n                     software programs is through security software. Security software provides\n                     a means of specifying who has access to a system, what types of access\n                     are granted, what standards are in place for passwords, and other limitations\n                     on access to files and programs.\n\n                     We tested the logical controls for four mission critical systems and identified\n                     the following weaknesses in the security password parameters in two\n                     systems.\n\n                     \xe2\x80\xa2   One system does not require passwords to be: composed of more than\n                         one character, changed after initial log-on, and periodically changed\n                         thereafter. Additionally, system password files were not all encrypted.\n                         The system software that is used to gain access consists of\n                         vendor-supplied and contractor developed software. 
The password file\n                         for the contractor-developed portion is in clear text, which increases the\n                         risk that unauthorized internal or external users may access this data and\n                         use it for unauthorized purposes.\n\n17\n      FNS Handbook 701, FNS Information Systems Security Policy Handbook, Section 302, Log-on and Passwords, paragraph F,\n     dated October 1996.\n18\n     FNS Handbook 702, FNS Information Systems Security Standards and Procedures Handbook, Section 104, Password Standard,\n     dated November 1997.\n19\n     NIST Generally Accepted Principles and Practices for Securing Information Technology Systems manual, Common Security\n     Practice, 3.11.2, Authentication, dated September 1996.\n\nUSDA/OIG-A/27099-18-Hy                                                                                        Page 17\n\x0c           \xe2\x80\xa2   Two systems do not have a feature that limits the number of log-on\n               attempts without a valid password. One system allows an unlimited\n               number of password attempts. Another system will allow three invalid\n               passwords before a user is locked out.           However, a user can\n               immediately return to the log-on menu and again attempt three\n               passwords before being locked out. A user from this system could\n               attempt to log-on indefinitely.\n           \xe2\x80\xa2   Two systems do not have time-out features. As a result, there is a risk\n               that unauthorized personnel can review, modify, or delete system\n               information if a workstation is left unattended.\n\n           We also observed computer workstations at all locations reviewed to\n           determine if passwords were displayed. 
At one location we observed\n           25 workstations and noted that in one workstation a log-on ID and password\n           was posted next to the employee\xe2\x80\x99s computer. In prior fiscal years, except for\n           FY 2000, FNS conducted security awareness training and distributed notices\n           to remind personnel to protect passwords and log-on IDs from disclosure.\n\n           FNS needs to implement additional logical controls to ensure that passwords\n           have a minimum length, a maximum life, and are immediately changed\n           during the initial log-on. All password files need to be encrypted to prevent\n           unauthorized access to system files or data and during periodic security\n           awareness training all personnel need to be reminded to protect log-on IDs\n           and passwords from disclosure. Subsequent to the audit fieldwork, FNS\n           implemented controls to require minimum password length, maximum\n           password life, change an initially assigned password, and encrypt password\n           files. At the exit conference on May 30, 2001, FNS officials also agreed to\n           implement other necessary logical controls to correct identified weaknesses.\n\n                                       Modify system controls to require password\n  RECOMMENDATION NO. 9                 length of 6 to 8 characters.\n\n\n           Agency Response\n\n           The Agency policy requires passwords on all systems, and that the\n           passwords be at least 6 to 8 characters in length. The systems not currently\n           compliant will be compliant by December 31, 2001.\n\n           OIG Position\n\n           We concur with FNS\xe2\x80\x99 proposed management decision.\n\n\n\n\nUSDA/OIG-A/27099-18-Hy                                                         Page 18\n\x0c                                     Modify system controls to require a maximum\n RECOMMENDATION NO. 
10               password life of 90 days.\n\n\n           Agency Response\n\n           All of our systems are required to have a password that expires every\n           90 days, except for NFC which requires users to change their passwords\n           every 45, or every 18 days, depending on their access. The systems not\n           currently compliant will be compliant by December 31, 2001.\n\n           OIG Position\n\n           We concur with FNS\xe2\x80\x99 proposed management decision.\n\n                                     Modify system controls to require that a user\n RECOMMENDATION NO. 11               immediately change an assigned password\n                                     during the initial log-on.\n\n           Agency Response\n\n           The systems not       currently   compliant   will   be   compliant   by\n           December 31, 2001.\n\n           OIG Position\n\n           We concur with FNS\xe2\x80\x99 proposed management decision.\n\n                                     Establish procedures that require password\n RECOMMENDATION NO. 12               files for all systems be encrypted.\n\n\n           Agency Response\n\n           The systems not       currently   compliant   will   be   compliant   by\n           December 31, 2001.\n\n           OIG Position\n\n           We concur with FNS\xe2\x80\x99 proposed management decision.\n\n\n\n\nUSDA/OIG-A/27099-18-Hy                                                     Page 19\n\x0c                                         Implement a time-out feature for all critical\n RECOMMENDATION NO. 13                   systems.\n\n\n            Agency Response\n\n            All mainframe systems currently have a time-out feature. LAN based\n            systems and client server systems will be protected by the workstation\n            security.      All FNS workstations will be upgraded to Microsoft\n            Workstation 2000 Professional by December 31, 2001.                 
All FNS\n            workstations will have implemented screen savers. After a period of\n            inactivity, the workstation will be locked, and only the logged-on user or an\n            administrator can unlock the workstation.\n\n            OIG Position\n\n            We concur with FNS\xe2\x80\x99 proposed management decision.\n\n                                         Conduct periodic security awareness training\n RECOMMENDATION NO. 14                   during which personnel are reminded to protect\n                                         passwords and log-on IDs from disclosure.\n\n            Agency Response\n\n            It is FNS policy that security awareness training be conducted on a yearly\n            basis. The FNS Security Office plans to conduct training for all employees\n            during the fourth quarter of the fiscal year. Additional security measures are\n            being planned that will require users to sign a statement certifying that they\n            affirm to protect FNS IDs and passwords. This form will be in use by\n            January 1, 2002.\n\n            OIG Position\n\n            We concur with FNS\xe2\x80\x99 proposed management decision.\n\n                                     FNS     has      not     established    adequate\n       FINDING NO. 5                 compensating    controls over access to Treasury\n                                     systems. Although Treasury allows shared IDs\n IMPROVED ACCESS CONTROLS            and passwords, FNS needs to implement\n  ARE NEEDED FOR TREASURY            additional controls that require periodic review\n          SYSTEMS                    of the need for, and propriety of, access to\n                                     Treasury data.        
Without these additional\n                                     controls there is an increased risk that\n          unauthorized access to Treasury data will not be prevented or detected.\n\nUSDA/OIG-A/27099-18-Hy                                                           Page 20\n\x0c                    USDA agencies are required to comply with the standards in the NIST\n                    guide20. This guide recommends the protection of financial transaction\n                    systems through proper security. NIST principles and practices21 state that\n                    it is necessary to have a process for requesting, establishing, and closing\n                    user accounts. Organizations should periodically review all users for\n                    continued need and determine whether accounts are still active. It further\n                    states that an organization should require users to uniquely identify\n                    themselves and recommends that passwords be frequently changed.\n\n                    FNS utilizes five Treasury systems to query and transmit financial data.\n                    These systems are used for transmission of payment data to Treasury and\n                    query the movement of funds. There is no Privacy Act information contained\n                    in these Treasury systems. The data in these systems relate to State\n                    organizations and users and are not individual specific. Treasury provides\n                    all access instructions and controls the access to these systems.\n\n                    We tested controls over access for the Treasury systems at three locations\n                    and noted the following.\n\n                    \xe2\x80\xa2    For one system, ten users at two locations shared two user IDs and\n                         passwords. 
These same user IDs and passwords have not been\n                         changed for several years.\n                    \xe2\x80\xa2    For one system, one user approved their-own access; FNS procedures\n                         indicate supervisory approval is required.\n                    \xe2\x80\xa2    For four systems, user request documentation was not maintained.\n\n                    Treasury periodically requests the FNS National Office to identify authorized\n                    users of Treasury systems at FNS. However, all locations are not contacted\n                    when preparing this list. As a result, FNS\xe2\x80\x99 controls for ensuring only\n                    authorized users have access to Treasury systems are inadequate. All\n                    locations are not periodically identifying and reviewing the list of authorized\n                    users of Treasury systems for continuing need.\n\n                    FNS maintains system access request documentation for all FNS systems\n                    indefinitely.  Requests for access to Treasury systems should be\n                    maintained for the same period of time.\n\n                    FNS stated that Treasury is implementing, in April 2001, an Intranet version\n                    of one of its systems. 
This new system will require individual user IDs and\n\n20\n      NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, dated\n     December 1998.\n21\n     NIST Generally Accepted Principles and Practices for Securing Information Technology Systems manual, Practice 3.5.2,\n     Practice 3.11.1, and Practice 3.11.3, dated September 1996.\n\nUSDA/OIG-A/27099-18-Hy                                                                                       Page 21\n\x0c           passwords, thereby correcting existing problems with shared user IDs and\n           passwords.\n\n           FNS needs to establish additional compensating controls over access to\n           Treasury systems. These should include maintaining Treasury system\n           access documentation, and implementing procedures at all locations for the\n           periodic identification and review of all authorized users of Treasury\n           systems. Without these additional controls unauthorized access to Treasury\n           data is at increased risk of not being prevented or detected. At the exit\n           conference on May 30, 2001, FNS officials agreed to implement necessary\n           access controls over Treasury systems. Subsequently, FNS also provided\n           documentation to support supervisory approval for the identified system user\n           who approved their own Treasury access.\n\n                                       Establish procedures to ensure system access\n RECOMMENDATION NO. 15                 request documentation of FNS users for\n                                       Treasury systems is maintained in the same\n                                       manner as FNS systems.\n           Agency Response\n\n           The Security Office has an existing policy for controlling access to its\n           systems or Treasury Data. The following controls are in place. 
The agency\n           has the FNS-674 form, which must be completed for all system access or\n           deletions; no action is taken without the FNS-674 being completed; each\n           system is also assigned an authorizing official, which must sign off on all\n           FNS-674 requests; the FNS-674 must be signed by the requestor\xe2\x80\x99s\n           supervisor; and Agency policy also requires periodic reviews of IDs.\n\n           OIG Position\n\n           We concur with FNS\xe2\x80\x99 proposed management decision.\n\n                                       Implement procedures at all locations to\n RECOMMENDATION NO. 16                 periodically identify and review the list of\n                                       authorized users of Treasury systems for\n                                       continued need.\n           Agency Response\n\n           FNS will develop procedures so that system managers review the list of\n           active IDs on a periodic schedule.      See the FNS Responses to\n           Recommendations No. 7 and 8. We anticipate full implementation by\n           December 31, 2001.\n\n\n\n\nUSDA/OIG-A/27099-18-Hy                                                        Page 22\n\x0c           OIG Position\n\n           We concur with FNS\xe2\x80\x99 proposed management decision.\n\n\n\n\nUSDA/OIG-A/27099-18-Hy                                         Page 23\n\x0c      CHAPTER 4                       CONTINGENCY PLANNING NEEDS IMPROVEMENT\n\n\n                     FNS\xe2\x80\x99 planning for contingencies need improvement. FNS has not always\n                     updated or tested its contingency plans in a timely manner nor were\n                     deficiencies identified in its vulnerability assessments always corrected.\n                     Experience has demonstrated that testing a contingency plan can\n                     significantly improve its viability. 
Untested plans may create a false sense of\n                     ability to recover in a timely manner. As a result, FNS\xe2\x80\x99 computer facilities\n                     are more susceptible to damage or unplanned down time in the event of a\n                     disaster or unexpected events.\n\n                     FNS Handbook 70222 requires contingency plans for each major FNS\n                     information facility. FNS addresses these requirements through a separate\n                     contingency plan for each location. In several instances there are multiple\n                     contingency plans for different systems at the same location. Agency\n                     requirements23 also state that as part of contingency planning, backup\n                     storage and environmental controls should be considered.\n\n                                           FNS has not always updated or tested its\n            FINDING NO. 6                  contingency plans in a timely manner. FNS\n                                           officials advised that this occurred because ITD\n       CONTINGENCY PLANS NEED              has not placed a priority on, or budgeted funds\n        TESTING AND UPDATING               for, contingency planning or established a\n                                           schedule for updating and testing its\n                                           contingency plans. As a result, FNS has\n               reduced assurance that it can minimize damage caused by unexpected and\n               undesirable events that impact information system operations.\n\n                     FNS Handbook 70124 states in part that contingency plans should be tested,\n                     reviewed, and updated at least annually, or when a major change in the\n                     system occurs. 
FNS Handbook 70225 states that contingency plans are\n                     required at each FNS information system facility to minimize damage\n                     caused by unexpected and undesirable events. FNS Handbook 70226 also\n                     states that emergency plans should be tested annually, including testing fire\n                     fighting, loss control, evacuation, bomb threats, and other emergency\n                     procedures to ensure that plans are adequate and workable and to train\n22\n     FNS Handbook 702, FNS Information Systems Security Standards and Procedures Handbook, Part 301, Contingency Plans,\n     dated November 1997.\n23\n     FNS Handbook 702, FNS Information Systems Security Standards and Procedures Handbook, Part 315, Steps for Developing\n     Contingency Plans, dated November 1997.\n24\n     FNS Handbook 701, FNS Information Systems Security Policy Handbook, Part 811, Contingency Plans, dated October 1996.\n25\n     FNS Handbook 702, FNS Information Systems Security Standards and Procedures Handbook, Part 301, Contingency Plans,\n     dated November 1997.\n26\n     FNS Handbook 702, FNS Information Systems Security Standards and Procedures Handbook, Part 316, Testing Contingency\n     Plans, dated November 1997.\n\nUSDA/OIG-A/27099-18-Hy                                                                                       Page 24\n\x0c                     personnel. In order to ensure that personnel are fully informed about the\n                     system contingency plan, the plan should include the results of testing.\n\n                     OMB Circular A-13027 requires contingency planning by major system. FNS\xe2\x80\x99\n                     mainframe systems are addressed through its national office and BRSB\n                     contingency plans. The MARO prepared a contingency plan for its LAN and\n                     a separate plan for ROAP, a client server system. 
A contractor prepared the\n                     contingency plan for the ALERT system, a client server system resident at\n                     the FNS National Office.\n\n                     FNS officials stated that it will replace its current Dec AlphaServer\n                     4000 minicomputers with Compaq brand servers by April 1, 2001, in all\n                     locations. Upon installation of the servers FNS will need to update its\n                     contingency plans to incorporate any necessary changes.\n\n                     We identified the following about four systems at the three locations\n                     reviewed.\n\n                     \xe2\x80\xa2    Contingency plans were not updated on an annual basis. Two\n                          contingency plans were updated in 1998 and two in 1999. There have\n                          been changes in one location\xe2\x80\x99s operating environment that have been\n                          completed since the plan was developed in 1998. In FY 2000, this\n                          location upgraded their communication link by switching from token ring\n                          to Ethernet. The location also switched from a shared communication\n                          line (with another USDA agency) to a direct connection to NITC. Another\n                          plan did not include technological changes that have been made in the\n                          system. 
A third contingency plan listed outdated equipment and an\n                          outdated emergency notification list.\n\n                     \xe2\x80\xa2    Contingency plans did not always include all the mission critical systems\n                          that impact the location\xe2\x80\x99s operations including those that reside at NITC\n                          or that are addressed by another contingency plan.\n\n                     \xe2\x80\xa2    Contingency plans for two systems need to be incorporated into the\n                          location\xe2\x80\x99s contingency plan. The ability to carry out a system\xe2\x80\x99s\n                          contingency plan is dependent, in part, on the location\xe2\x80\x99s LAN\n                          contingency plan.\n\n                     \xe2\x80\xa2    Contingency plans were not always tested on an annual basis. Two\n                          contingency plans were tested in 1998, and the other two were tested in\n                          1999 and 2000, respectively.\n\n\n27\n     OMB Circular A-130, Security of Federal Automated Information Resources, Appendix III, dated February 9, 1996.\n\nUSDA/OIG-A/27099-18-Hy                                                                                                Page 25\n\x0c           \xe2\x80\xa2   Contingency plans did not include the date and results of prior\n               contingency plan testing.\n\n           In April 2000, ITD participated in a contingency planning test at NITC. The\n           test focused on how NITC would respond in case of disaster. 
FNS also\n           tested its web server at the Washington Service Center in March 2000.\n           However, the results of these tests did not address how FNS would respond\n           to an emergency.\n\n           ITD officials stated that program and computer center managers identified\n           their testing needs and ITD developed a schedule for testing contingency\n           plans in 2001. ITD officials also stated that FNS plans to contract, in\n           FY 2002, for updating contingency plans. At the exit conference on\n           May 30, 2001, FNS officials agreed to implement necessary controls over\n           contingency planning.\n\n                                        Establish controls for ensuring contingency\n RECOMMENDATION NO. 17                  plans are tested, reviewed, and updated at\n                                        least annually, or when a major change in the\n                                        system occurs.\n           Agency Response\n\n           The Security Manager will review the schedule to ensure that contingency\n           plans are tested, reviewed and updated annually or when a major change\n           occurs. This will occur each July, beginning in July 2002, in conjunction with\n           the submission of the annual cyber security plan submission to OCIO.\n\n           OIG Position\n\n           We concur with FNS\xe2\x80\x99 proposed management decision.\n\n                                        Update all contingency plans to include all\n RECOMMENDATION NO. 18                  operating environment changes and system\n                                        improvements. The plans should include the\n                                        results of prior contingency tests.\n           Agency Response\n\n           The Agency will include all operating environment changes and system\n           improvements in this year\xe2\x80\x99s updated plan. 
We will also include the results of\n           prior contingency tests where possible. All contingency plans will be\n           updated by May 2002.\n\n\n\n\nUSDA/OIG-A/27099-18-Hy                                                          Page 26\n\x0c                    OIG Position\n\n                    We concur with FNS\xe2\x80\x99 proposed management decision.\n\n                                                        For each location, incorporate individual system\n     RECOMMENDATION NO. 19                              contingency plans into one plan.\n\n\n                    Agency Response\n\n                    FNS will incorporate individual system contingency plans into each location\xe2\x80\x99s\n                    contingency plan. The FNS Security Office will review a copy of each\n                    location\xe2\x80\x99s contingency plan. This will be completed by May 2002.\n\n                    OIG Position\n\n                    We concur with FNS\xe2\x80\x99 proposed management decision.\n\n                                          The backup storage site for one computer\n          FINDING NO. 7                   facility is located too close to its primary site.\n                                          According to FNS officials, the backup storage\n         BACKUP STORAGE                   site is used because it is cost-effective and\n     NEEDS TO BE MOVED FOR ONE            convenient. 
FNS did not consider the threat to\n        COMPUTER FACILITY                 both the primary and backup sites to be\n                                          significant enough to relocate the backup site.\n                                          In case of disaster, location staff may not have\n             access to the data at the computer center or the backup storage site.\n\n                    FNS Handbook 70228 states that off-site storage should be in a location that\n                    provides safe and secure storage for critical systems, including data files\n                    and associated documentation. In selecting an off-site storage location,\n                    FNS should consider the natural disasters that provide a threat to the current\n                    facility. Potential off-site storage locations include other Federal offices with\n                    a secure safe or vault.\n\n                    Production data for this system and the location\xe2\x80\x99s LAN is backed up on\n                    storage tapes every night. Additional backups are performed every\n                    weekend and every month. On a typical night, boxes of storage tapes are\n                    loaded on a hand truck and transported to the backup storage site, a\n                    Federal building located across the street from the primary location. We\n                    were informed that the backup storage tapes are stored in a walk-in safe.\n\n\n28\n     FNS Handbook 702, FNS Information Systems Security Standards and Procedures Handbook, Section 315, Part A, Backup\n     Operations, dated November 1997.\n\nUSDA/OIG-A/27099-18-Hy                                                                                     Page 27\n\x0c           An independent contractor completed a vulnerability assessment of this\n           location\xe2\x80\x99s computer operations in 1998. 
The independent contractor also\n           identified that the backup storage site was too close to the primary site. If a\n           disaster or crime would occur in the area, FNS staff may likely not be able to\n           access their computer or their backup sites. As a result, FNS agreed to\n           perform a cost benefit study of alternative sites.\n\n           We reviewed FNS\xe2\x80\x99 progress toward identifying an alternative site. FNS staff\n           obtained some information on alternative sites, but did not select a site.\n           They explained that the Federal building storage is free and there is\n           significant convenience in its current location. Because FNS must physically\n           transport a significant number of storage tapes to the backup site, FNS staff\n           would prefer to obtain new technology that would allow 40 times more data\n           storage per tape prior to any relocation of the backup site, thereby making\n           an alternative backup storage site more practical. However, FNS does not\n           have this type of storage technology and there are no indications that it will\n           be obtained in the foreseeable future.\n\n           There is no standard that requires a specific distance between the primary\n           site and the backup storage site. However, backup storage sites at other\n           FNS locations are several miles from the primary site.\n\n           We discussed this issue with the FNS security officer in ITD, who agreed\n           that the backup storage site is too close to the primary site. The security\n           officer stated that a location 20 miles away would be preferable. We\n           recommended a backup site be located outside of the immediate vicinity of\n           the primary facility. With the current site, if there were a natural disaster, a\n           crime scene, or an emergency, both locations would very likely become\n           inaccessible. 
Effective June 1, 2001, FNS contracted with an electronic media courier and storage company to store system backup tapes at the company’s site, approximately 12 miles from the FNS location. Therefore, no further recommendation is being made.

FINDING NO. 8
ADEQUATE FIRE SUPPRESSION EQUIPMENT IS LACKING IN ONE COMPUTER FACILITY

One computer facility lacked adequate fire suppression in its computer room. FNS has not addressed the lack of adequate fire suppression equipment in its building lease or how it would handle a fire emergency during off-hours. As a result, FNS is placing personnel, equipment, and property at risk.

FNS Handbook 701 [29] addresses fire suppression systems. Type II facilities, which include the FNS National Office and FNS Regional Offices, are to have the necessary countermeasures in place to prevent, detect, and suppress fires. Fire suppression in the computer room should include fire extinguishers and automatic fire suppression systems. A pre-action dry pipe system is the more acceptable fire suppression system for Type II facilities.

We toured the location’s computer room and found that both the computer room and the office suite lack an overhead fire suppression system.
We observed that there were fire extinguishers on hand in the computer room.

FNS performed a vulnerability assessment in 1998, which also identified that the facility lacks a fire suppression system in its computer room and office suite. FNS staff recommended that a pre-action dry pipe fire suppression system be installed.

A pre-action dry pipe system does not have water in the immediate overhead pipes. The system is heat activated: when heat is detected, water is sent to the sprinkler heads, which are then activated. A traditional sprinkler system has water in the overhead pipes. Other FNS computer facilities have either a halon gas fire suppression system or a sprinkler system.

FNS staff responded that they do not have funding to install a fire suppression system. The facility is a leased building and any sprinkler system would require substantial remodeling of the computer room and office suite. Currently, FNS is in the third year of a 5-year lease with another 5-year option.

Fire extinguishers present in the building could address a fire emergency if it occurred during operating hours, between 7 a.m. and 6 p.m., Monday through Friday. FNS staff indicated that if a fire occurred during off-hours the local fire department, which is an estimated three miles away, would respond to the fire alarm.
The lack of a fire suppression system places FNS personnel, property, and equipment at unnecessary risk.

[29] FNS Handbook 701, FNS Information Systems Security Policy Handbook, Section 311, Environmental Threats, Part A, Fire, dated October 1996.

RECOMMENDATION NO. 20
Implement a fire suppression system at this location.

Agency Response

The presence of an application server elevates this location to a Type II computer facility. GSA has indicated that they do not require a sprinkler system for buildings less than three floors. However, FNS plans to relocate the application server to another FNS location that already has appropriate fire suppression equipment. We expect to have this move completed by March 2002.

OIG Position

We concur with FNS’ proposed management decision.

CHAPTER 5    OMB CIRCULAR A-130 REQUIREMENTS NOT ALWAYS MET

FNS has not always adhered to OMB requirements that risk assessments and system certifications be completed at least every 3 years. OMB requires agencies to use a risk-based approach that includes consideration of the following major factors in risk management: the value of the system, threats, vulnerabilities, and the effectiveness of current or proposed safeguards.
The agency administrator must also certify (system certification) that the system meets OMB, legislative security, and Privacy Act requirements.

FINDING NO. 9
CURRENT RISK ASSESSMENTS ARE NEEDED

FNS has not adhered to OMB circular requirements or its own policies that require risk assessments on its mission critical computer systems. Five of nine mission critical systems, which contain critical and sensitive information, have not been assessed within the past 3 years. FNS officials advised that this occurred because ITD has not placed a priority on, or budgeted funds for, conducting risk assessments or established a schedule for updating these assessments. As a result, the vulnerability of the systems and their data is substantially increased.

OMB Circular A-130 [30] defines risk assessment as a formal, systematic approach to assessing the vulnerability of information system assets, identifying threats, quantifying the potential losses from threat realization, and developing countermeasures to eliminate or reduce the threat or amount of potential loss. Risk assessments assist information technology department management in obtaining a balance between the impact of risks and the cost of protective measures. Risk assessments should be performed every 3 years, or when there is a change in operations or technology.
Further, Presidential Decision Directive (PDD) 63 [31] requires agencies to assess the risks to their networks and establish a plan to mitigate the identified risks.

USDA Departmental Manual 3140 [32] requires each agency to submit to the OCIO, by March 31 of each year, an automated data processing security plan or an annual update to an existing plan. As part of the security plan, risk assessment documentation must be included for each agency Type II facility. The USDA Departmental Manual [33] also requires agency Type II facility staff to perform risk analyses every 3 years or when an aspect of the computer system undergoes a significant modification.

[30] OMB Circular A-130, Security of Federal Automated Information Resources, Appendix III, dated February 9, 1996.
[31] PDD 63, Policy on Critical Infrastructure Protection, dated May 22, 1998.
[32] USDA Departmental Manual 3140, ADP Security Policy, Section DM 3140-1.1, Part 9, dated July 1984.

FNS Handbook 701 [34] incorporates the risk assessment definition, requirements, and guidance of OMB Circular A-130 and USDA Departmental Manual 3140-1. FNS requires that current risk assessments be reviewed annually and updated as necessary. Less formal assessments are required during the planning and design phases of software system development.
All results, whether preliminary or final, must be reviewed by top management for reasonableness, policy adherence, and organizational unity before the implementation of countermeasures.

[33] USDA Departmental Manual 3140, ADP Security Policy, Appendix III, Section 3140-1.2, Part 10, dated July 1984.
[34] FNS Handbook 701, FNS Information Systems Security Policy Handbook, dated October 1996; and FNS Handbook 702, FNS Information Systems Security Standards and Procedures Handbook, Chapter 2, dated November 1997.

To determine if risks are periodically assessed, we reviewed FNS’ risk assessment policies and identified the personnel who performed and reviewed these assessments. We also reviewed security plans and risk assessments, and conducted interviews with appropriate FNS personnel.

We identified that risk assessments for five of FNS’ nine mission critical systems were completed in 1997. Two other systems’ risk assessments were completed in 1998, and two in 1999.

Risk assessments are required to be conducted at least every 3 years or when significant changes are made to the computer system. FNS has not established procedures for ensuring that risk assessments are timely completed, including a schedule for conducting these assessments. Because these assessments have not been performed for all FNS critical systems, the vulnerability to threats to the confidentiality and integrity of information, the availability of its systems, and the protection of information resources is substantially increased. At the exit conference on May 30, 2001, FNS officials agreed to implement necessary procedures over risk assessments.

RECOMMENDATION NO. 21
Establish procedures to ensure that risk assessments of all computer systems are conducted every 3 years or whenever a significant modification is made to the system.

Agency Response

FNS will establish a schedule to ensure that risk assessments are conducted on all computer systems every three years, or whenever a significant modification is made to the system. For those systems that have not had a risk assessment recently, we will perform risk assessments by May 2002.

OIG Position

We concur with FNS’ proposed management decision.

RECOMMENDATION NO. 22
Immediately conduct risk assessments for the five mission critical systems that were assessed in 1997.

Agency Response

Two of the systems are in the process of major redesign. Risk assessments will be done on the new systems prior to installation. Risk assessments will be scheduled for the systems as quickly as possible.
We will complete the risk assessments by January 2002.

OIG Position

We concur with FNS’ proposed management decision.

FINDING NO. 10
SYSTEM CERTIFICATIONS AND RE-CERTIFICATIONS ARE NEEDED

System certifications and re-certifications have not been timely completed for six of FNS’ nine mission critical systems. Certifications have not been obtained for three systems, and the re-certifications for three other systems are past due. In addition, FNS has not made substantial progress toward the re-certification of another system that is in the process of major changes. FNS officials advised that this occurred because the certification and re-certification of these systems was not budgeted or planned. As a result, there is reduced assurance that controls are working properly for these systems.

OMB Circular A-130 [35] requires that agencies provide a written authorization that major systems are ready for use. FNS accomplishes this through the system certification process. Prior to certification, two considerations must be addressed.
A risk assessment must be completed and reviewed; and administrative, physical, and technical safeguards must be reviewed and found sufficient and operational.

[35] OMB Circular A-130, Security of Federal Automated Information Resources, Appendix III, dated February 1996.

FNS Handbook 701 [36] states that information systems security certification is an official statement that approves the security of a major system. Sensitive automated systems require formal certification prior to the system being placed in operation. For sensitive systems, a risk assessment should be completed prior to the system being certified as having adequate technical and physical safeguards for implementation and production. Certification is not permanent. As a system or its security environment changes, re-certification is needed to verify that security protection remains applicable. Re-certifications should be conducted for major modifications, changes in the security environment, occurrence of a significant security violation, audit findings, or every 3 years.

FNS Handbook 702 [37] states that re-certification procedures are the same as certification procedures, except that portions of the process, depending on the reason for the certification, may be abbreviated. If a change to the system is the reason for re-certification, the re-certification should focus on the change and how it impacts the security features of the rest of the system.
If the re-certification is required due to a lapse of 3 years, then it must include all aspects of the system.

In our review of system certifications we noted the following.

•  No system certification was obtained for three systems. These systems were placed in operation in 1981, 1996, and 1998, respectively.

•  One system, last certified in March 1996, was due for re-certification in March 1999, but the re-certification has not been performed. Two other systems last certified in January 1998 were due for re-certification in January 2001.

Additionally, for one system there was a major change in the computing environment. The system switched from the mainframe environment to a client server in April 2001. As of November 2000, no substantial progress had been made toward the certification of the new system. System certification is a lengthy process and is required to be completed prior to placing the system in operation. ITD staff stated that certification for this system and the re-certification of several other systems, which were due in January 2001, are a priority to complete during FY 2001.

FNS has not established procedures for ensuring that system certifications and re-certifications are timely completed, including a schedule for conducting these certifications.
At the exit conference on May 30, 2001, FNS officials agreed to implement necessary controls over system certifications and re-certifications.

[36] FNS Handbook 701, FNS Information Systems Security Policy Handbook, Part 630, dated October 1996.
[37] FNS Handbook 702, FNS Information Systems Security Standards and Procedures Handbook, Part 710, dated November 1997.

RECOMMENDATION NO. 23
Establish controls to ensure system certifications and re-certifications are timely completed.

Agency Response

FNS will perform system certification/re-certification in conjunction with the risk assessments and contingency plans discussed in Recommendations 17, 18, 20 and 21. We anticipate completing the certification/re-certification by July 2002.

OIG Position

We concur with FNS’ proposed management decision.

RECOMMENDATION NO. 24
Establish a schedule and expedite the completion of all required system certifications and re-certifications.

Agency Response

FNS will establish a schedule by September 30, 2001.

OIG Position

We concur with FNS’ proposed management decision.

CHAPTER 6    PRIVACY ACT DATA NEEDS TO BE ENCRYPTED

FINDING NO. 11

FNS has not validated that all data for one system is encrypted before transmission to NITC. This occurred because FNS has not conducted reviews to determine whether all States have implemented the encryption software provided to them. As a result, sensitive Privacy Act data may be at risk when sent from States because it may not be encrypted.

OMB Circular A-130 [38] requires Federal agencies to implement and maintain a program to ensure adequate security is provided for all agency information collected, processed, or transmitted in mainframe systems. USDA Departmental Regulation [39] states that all sensitive data subject to Privacy Act considerations must be encrypted before transmission over the Internet.

The Privacy Act of 1974 prohibits disclosure of certain information to the public. This information includes any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, criminal history, and certain types of employment history. In addition, the prohibited information includes any item of information containing the following about an individual: the individual’s name, identifying number or symbol, finger/voice print, or photograph.

We reviewed the security plans for FNS’ nine mission critical systems and interviewed ITD personnel to determine whether sensitive data is encrypted prior to transmission over the Internet.
We determined that three of FNS’ mission critical systems contain information or data that is protected from disclosure under the Privacy Act of 1974.

Access to the three systems’ data is provided via the departmental Intranet from FNS national, regional, and field offices to the system mainframe. Data encryption exists for data transmission between the FNS national, regional, and field offices, NITC, and BRSB. Data encryption also exists for financial data sent between NITC and the National Finance Center and Treasury’s financial systems.

[38] OMB Circular A-130, Security of Federal Automated Information Resources, Appendix III, dated February 9, 1996.
[39] USDA Departmental Regulation 3140-2, USDA Internet Security Policy, dated March 7, 1995.

Twenty State agencies, which receive almost $6 billion in program funds, have a dial-up emulator, or connection, to NITC for submitting program participation data. Those States that do not have a dial-up connection submit their data manually to FNS Regional Offices for data entry into the program database. All States that have an Internet protocol address to NITC received encryption software from FNS in October 1999. However, ITD did not ensure that these States have implemented and are utilizing the encryption software. ITD staff stated that they would have to review all the States to identify whether they have implemented the software.
At the exit conference on May 30, 2001, FNS officials agreed to require regional offices to perform the necessary reviews to ensure encryption software is installed and being used by all applicable States.

RECOMMENDATION NO. 25
Perform reviews of all States to ensure that encryption software has been installed and is being utilized for the transmission of Privacy Act data.

Agency Response

FNS will request that the Regional Deputy Security Officers verify with all their State agencies that they are utilizing the appropriate encryption. Agency policy requires either use of appropriate encryption software or mailing Privacy Act data into the FNS Regional Office. The Regional Deputy Security Officers will report back to the Security Office by December 31, 2001.

OIG Position

We concur with FNS’ proposed management decision.

CHAPTER 7    INADEQUATE SEPARATION OF DUTIES EXISTS WITHIN ITD

FINDING NO. 12

Incompatible duties exist within the ITD. The network LAN administrator, who is a super user of the LAN [40], is also the deputy security officer, who is responsible for maintaining the security over the LAN. As a result, there is increased risk that data could be altered and not be detected.

OMB Circular A-123 [41] requires specific management control standards, including separation of duties.
Key duties and responsibilities in authorizing, recording, and reviewing official agency transactions should be separated among individuals. Management controls developed for agency programs should be logical, applicable, and efficient and effective in accomplishing management objectives. The U.S. General Accounting Office Federal Information System Controls Audit Manual [42] states that different individuals should generally perform the following functions: system design, application programming, data security, and network administration.

ITD identified the individuals responsible for automated system support. We reviewed computer support functions as identified by ITD and interviewed responsible personnel, as necessary. We identified that a Desktop Services Branch staff person is responsible for network administration. The network administrator is responsible for maintaining a secure and reliable on-line communications network and serves as liaison with user departments to resolve network needs and problems. This same individual is also a deputy security officer who is responsible for the adequacy of security controls over the LAN.
This presents a conflict because the individual is a super user of the LAN, has access to all data and programs on the LAN, and therefore should not be responsible for controlling security or access to the LAN.

A more appropriate separation of controls over network security would be to place responsibility with the information systems security officer or the deputy information systems security officer. These individuals are responsible for FNS system security and are in charge of controlling access to mainframe systems, contingency planning, security planning, risk assessments, and other similar duties. At the exit conference on May 30, 2001, FNS officials agreed to evaluate the responsibilities within the ITD and ensure adequate separation of duties.

[40] A super user has access to all data and programs on the LAN.
[41] OMB Circular A-123, Management Accountability and Control, revised June 21, 1995.
[42] U.S. General Accounting Office, Federal Information System Controls Audit Manual, critical element Section SD-1, Segregate Incompatible Duties and Establish Related Policies, dated December 1996.

RECOMMENDATION NO. 26
Delegate the responsibility for data security over the LAN to either the information systems security officer or the deputy information systems security officer.

Agency Response

The ITD is in the process of reorganizing. The separation of duties will be addressed during the reorganization.
The reorganization will be completed by October 31, 2001.

OIG Position

We concur with FNS’ proposed management decision.

EXHIBIT A – FNS RESPONSE TO DRAFT REPORT

[Exhibit A: FNS response to the draft report, 7 pages, not reproduced in text.]

ABBREVIATIONS

ADP      Automated Data Processing .................................... 4
ALERT    Anti-Fraud Locator Using Electronic Benefits Transfer Retailer Transactions .... 1
BRSB     Benefit Redemption Systems Branch ............................ 2
CNP      Child Nutrition Programs ..................................... 1
FNS      Food and Nutrition Service ................................... i
FSP      Food Stamp Program ........................................... 1
FY       Fiscal Year .................................................. 1
IT       Information Technology ....................................... i
ITD      Information Technology Division .............................. 1
LAN/WAN  Local and Wide Area Networks ................................. 4
MARO     Mid-Atlantic Regional Office ................................. 3
NIST     National Institute of Standards and Technology ............... 3
NITC     National Information Technology Center ....................... ii
OCIO     Office of Chief Information Officer .......................... 4
OIG      Office of Inspector General .................................. 4
OMB      Office of Management and Budget .............................. i
ROAP     Regional Office Administered Programs ........................ 3
STARS    Store Tracking and Redemption Subsystem ...................... 2
TCP/IP   Transmission Control Protocol/Internet Protocol .............. 5
USDA     U.S. Department of Agriculture ............................... 1